– Dhananjay Rokde – Global Head – Information Security, Cox & Kings Group
A generic definition of a crime would be an act that is in violation of the applicable laws. A crime / criminal offense may essentially hurt an individual or the community (city or a nation) at large. This concept has now been taken to the next level with rising popularity of cybercrimes. In recent years, there are several analyst reports on the increasing trends of cybercrimes. Of late; several interchangeable terms for cyber crimes such as, computer crime, cyber fraud, internet crime, cyber exploitation, electronic rackets and many others, have emerged. Interestingly; there is no such term as a “cybercrime”, as per any Indian law.
In ‘The State of Information Security Survey -India, 2013’, a report by PWC it reported that the size of the information security market in India in 2012 was Rs 1,200 crore and their estimate for 2013 is Rs 1,415 crore, a growth of 18 per cent. According to the survey, medium businesses with revenues ranging from Rs 500 crore to Rs 5,000 crore, saw an estimated 17 per cent increase in security spending in 2011-12 followed by small businesses with revenues less than Rs 500 crore where the spending increased by 14 per cent. This proves that organizations are not only aware of the menace of cyber threats and attacks but are also focusing on addressing these issues.
There are local laws in almost all countries pertinent to cybercrimes and their admission in the legal system for trials. However, until an actual “terrorist intent” is detected; these perpetrators are never addressed as criminals – instead as white collar criminals or simply as ‘Hackers’. White collar crimes are generally victimless crimes and do not get the attention in society, as much as crimes of theft, hate, violence narcotics and terrorism. However in terms of actual state or national revenue lost, white collar crimes amount to just as much. A hack or a cyberattack can lead to organizations losing data worth millions and can have their revenues compromised. It is also because these criminals are often educated and have jobs in reputed organizations, that gives them leeway. They don’t get the same amount negative embellishment or social interest compared to other criminals. The damage that these crime do is often worse and has far-reaching effects.
To illustrate this let us look at an average cybercrime caused by a DoS (Denial of Service) or a DDoS (Distributed Denial of Service, which is often an organized cybercrime). Web applications belonging to financial institutions like banks, stock exchanges, government bodies & universities remain hot-targets for such attacks. A simple DDoS on a banking site affects all the banks customers and parties associated to the bank. Very simply put it is a two-way damage affecting the payee and the recipient of funds. In many cases this can mean the difference between life and death. Clearly this is NOT a victimless crime. Because the victims are not around to lodge a complaint, or do not even know in most cases that they have been exploited.
The sheer penetration of internet, dependence on it and consumer-convenience of internet banking, e-commerce, trading and online management systems is what often provokes cyber criminals to commit crime. Services like internet baking, airlines bookings / check-ins are no longer a luxury; but life essential amenities. The outage of such services often causes a lot of media hype and gets the attackers exactly the attention they are looking for. Hacktivist groups and cyber vandals are constantly on lookout for such easy consumer based targets.
Just imagine; you are stuck in a blizzard cannot check into a hotel because your credit card limit has abruptly maxed-out, or you are unable to transfer funds back home for an emergency, or not being able to charge your health insurance policy because the networks are down. These are scenarios that are often not taken into account while defining a punishment for the act of a cybercrime. It has also been my personal experience that during such attacks the target banks and application / internet / telecom service providers often do not disclose the occurrence of such attacks; to avoid public embarrassment. It is because there is substantial lack of transparency in the reporting of such incidents by the affected parties that makes it increasingly difficult to catch the culprits. It takes the average victims more than a week to determine if they have actually been exploited. The combination of the two factors mentioned above along with the time-delay assists the criminals to get away.
Law enforcement agencies and legal bodies need to realize a simple truth – “Cyber crimes are actually capable of taking lives”. While the statement may sound a little exaggerated, the actual ripple effects of cyber crimes are felt very late. The impact of a cyber crime is far more than what can be seen at the outset. It is not simply about a unavailability of services or some sites being defaced. This is somewhat like the “Butterfly Effect” theory.
Cyber crimes are becoming costlier by the day. They are costing the global industrial landscape billions of dollars. Such crimes also have severe fall out effects such as permanent loss of reputation, loss of jobs and an overall negative hit on the economy. Not too long ago, Microsoft had officially put up a bounty of USD 250,000 for apprehending the creators of the MSBlast malware.
The Indian IT Act has come a long way from where it began. However it needs to become stringent in two ways – by enforcing onus on the authorities like the police and empowering them with the right tools and knowledge to apprehend such criminals, and also by increasing the severity of the applicable punishments. While harsher sentences are not the complete solution, they are a very strong deterrent. Frost & Sullivan reveals that nearly 80 percent of Indian business enterprises have reported data theft through online hacking and that the cost of computer crimes has reached a whopping USD 10 billion – India is ranked fifth in terms of ecommerce security breaches. These criminals should be tried & prosecuted under the extent of the law. There also needs to be inter-agency synergy between the local cybercrime authorities and the bodies such as the Interpol, NSA, and the CERT.